CONFIDENTIALITY OF RECORDS

AND MANAGED CARE:

LEGAL AND ETHICAL ISSUES

Ruth Clifford, Ph.D.

I. SUMMARY OF ISSUES

A. ISSUE:

Managed care companies usually require information beyond what is needed to make a decision about "medical necessity," such as HIV risk factors, ratings of functioning in all areas of the person's life, routine details about consumption of alcohol and drugs, family mental health history, Axis III diagnoses. Such information can be used for purposes contrary to the client's interest, such as future refusal of insurance, raises in premiums, and potential employer or school discrimination.

Note: The Ethical Principles of Psychologists and Code of Conduct allows psychologists to disclose information without the consent of the client "to obtain payment for services, in which instance disclosure is limited to the minimum that is necessary to achieve the purpose." (5.05)

The Principles for the Provision of Mental Health and Substance Abuse Treatment Services: A Bill of Rights, which was adopted last fall by most of the national mental health professional associations, states that "individuals shall not be required to disclose confidential, privileged or other information other than: diagnosis, prognosis, type of treatment, time and length of treatment, and cost."

See California Civil Code, Section 56.10 (c)(2 and 4).

B. ISSUE:

Provider contracts allow for inspections of full charts by managed care representatives, for National Committee for Quality Assurance certification and/or Knox Keene law requirements for state oversight of HMOs. The latter may involve random audits of full charts by the Commissioner of Corporations. Clients thus lose their ability to protect certain portions of their records from release.

See California Health and Safety Code, Sections 1381.

C. ISSUE:

In requesting client information, managed care companies sometimes allude to Department of Corporation's requirements for complying with "professional standards of practice." In 1993, the American Psychological Association adopted Record-Keeping Guidelines which describe appropriate content of treatment records in GENERAL terms, not at all like the level of detail routinely requested by managed care companies. The Guidelines state, "Psychologists maintain records in sufficient detail for regulatory and administrative review." However, they do not state who determines "sufficiency of detail."

D. ISSUE:

Some contracts require that records be retained and made available for inspection even after the contract is terminated. Thus the provider cannot cancel his or her contract in order to protect existing records.

The interdisciplinary Bill of Rights states, "Any disclosure to another party will be time limited."

See California Civil Code, Section 56.11.

E. ISSUE:

Waivers signed by clients with the managed care company are usually general and vague. Yet the law requires that a valid release be specific concerning the purpose for which the information is being released and the person or persons who will receive it.

According to the interdisciplinary Bill of Rights, "Any disclosure to another party will be made with the full written, informed consent of the individuals."

See California Civil Code, Section 56.11.

F. ISSUE:

Managed care companies handle confidential information carelessly. Examples include: lost reports, noted by 59% of a 1993 survey sample of San Francisco Bay Area psychologists; authorizations mailed or faxed to the wrong person; charts accidentally switched; and information about clients exchanged between HMO and employer without client authorization.

See California Health and Safety Code, Section 1374.8.

G. ISSUE:

Companies may state on their client information forms, "Responses are confidential." However, the extent and limits of confidentiality are not explained; neither the client nor the provider knows what methods are in place to ensure confidentiality; and there are virtually no enforcement mechanisms in case of a breach.

Some unknowns include: How is information coded and stored within the managed care company? What protections does the company use to maintain confidentiality of the information? Does the company sell or pass along that information to a databank or other entity? What happens to the information if the company is bought out by another company? When and how is the information discarded?

The interdisciplinary Bill of Rights states, "Entities receiving information for the purposes of benefits determination, public agencies receiving information for health care planning, or any other organization with legitimate right to information will maintain clinical information in confidence with the same rigor and be subject to the same penalties for violation as is the direct provider of care."

See California Insurance Code, Section 791, and Civil Code, Sections 1798 and 56.13.

H. ISSUE:

Clients are usually unaware of the vulnerability of their information to unknown outsiders, once it is passed along to managed care and governmental bureaucracies. The increased use of computerization and transmission of personal, individually identified data via modem, fax, phone or mail make accidental leaks of information more likely. In addition, intentional leaks, whether official, for example through private or governmental databanks, or unofficial, are increasingly being documented.

According to the interdisciplinary Bill of Rights, "Information technology will be used for transmission, storage, or data management only with methodologies that remove individual identifying information and assure the protection of the individual's privacy. Information should not be transferred, sold, or otherwise utilized."

The Ethical Principles of Psychologists and Code of Conduct requires informing clients of the limits of confidentiality (5.01).

See California Civil Code, Section 56.13.

I. ISSUE:

Some provider contracts with managed care companies require the provider to agree to obtain releases from clients who have already received treatment for records audits. The right of clients to refuse consent is not mentioned.

J. ISSUE:

Providers may be asked to volunteer to participate in outcome studies on their work, which includes that the provider obtains clients' cooperation to fill out questionnaires about their history and symptoms for the managed care company. In some cases, priority access to referrals is offered as an incentive to the provider to volunteer. However, the instructions the provider is told to give the client fail to mention this fact, and instead state that cooperation is an essential part of their treatment. The client's right to refuse to participate in this outcome research is minimized.

K. ISSUE:

Some managed care companies are now requiring providers to report to case managers within twenty-four hours any case that has a high risk potential for either the client, a second party, the client company (employer), or the managed care company. Examples include danger to self or others, suspected child abuse, potential threats to national security or the client organization, client's request for records, complaint about EAP services or threat of a lawsuit, and potential involvement in litigation including confession or knowledge of criminal activity. Nothing is said about the client's privacy or right to release information, or what will be done with the information that is shared.

The psychologist's duties to the managed care company are given priority over his/her obligation to avoid harming her/his clients (Ethical Principles, 1.15).

II. APPLICABLE CALIFORNIA LAWS

Relevant sections of California codes are summarized below.

Constitution: Article 1, Section 1:

"All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy." (emphasis added)

Business and Professional Code, Section 1012:

"As used in this article, 'confidential communication between patient and psychotherapist' means information, including information obtained by an examination of the patient, transmitted between a patient and his psychotherapist in the course of that relationship and in confidence by a means which, so far as the patient is aware, discloses the information to no third persons other than those who are present to further the interest of the patient in the consultation, or those to whom disclosure is reasonably necessary for the transmission of the information or the accomplishment of the purpose for which the psychotherapist is consulted, and includes a diagnosis made and the advice given by the psychotherapist in the course of the relationship."

Business and Professional Code, Section 2263:

"The willful, unauthorized violation of professional confidence constitutes unprofessional conduct."

Civil Code Section 56.11:

This section spells out in detail what constitutes a valid authorization for release of medical information, including the name or functions of the persons or entities authorized to receive the medical information, and the specific uses and limitations on the use of the information by those authorized to receive it. Additionally, the release must include a date after which the provider is no longer authorized to disclose the information.

Civil Code Section 56.10:

"(a) No provider of health care shall disclose medical information regarding a patient of the provider without first obtaining an authorization, except as provided in subdivision (b) or (c).

(b) A provider of health care shall disclose medical information if the disclosure is compelled by any of the following:" (conditions such as court order or required by law are listed)

(c) A provider of health care may (emphasis added) disclose medical information as follows:..

  1. (recipients who are other health care providers are listed)
  2. The information may be disclosed to an insurer, employer, health care service plan, hospital service plan, employee benefit plan, governmental authority, or any other person or entity responsible for paying for health care services rendered to the patient, to the extent necessary to allow responsibility for payment to be determined and payment to be made...
  3. The information may be disclosed to any person or entity that provides billing, claims management, medical data processing, or other administrative services for providers or for any of the persons or entities specified in paragraph (2). However, no information so disclosed shall be further disclosed by the recipient in any way which would be violative of this part.
  4. The information may be disclosed to organized committees and agents of professional societies or of medical staffs of licensed hospitals, or to professional standards review organizations, or to persons or organizations insuring, responsible for, or defending professional liability which a provider may incur, if the committees, agents organizations, or persons are engaged in reviewing the competence or qualifications of health care professionals or in reviewing health care services with respect to medical necessity, level of care, quality of care, or justification of charges." (emphasis added.)

The access of review agents appears to be as broad as they wish. I am not aware of any state law that specifies what types of information are considered necessary to the purposes listed and what would be superfluous or overreaching.

Civil Code, Section 56.13

This section prohibits further disclosure of the information by the recipient, "except in accordance with a new authorization that meets the requirements of Section 56.11, or as specifically required or permitted by other provisions of this chapter or by law." How applicable this is to managed care companies' disclosures of information is unclear.

Health and Safety Code, Section 1381 (Knox-Keene Health Care Service Plans Act):

"All records, books, and papers of a plan, management company, solicitor, solicitor firm, and any provider or subcontractor providing health care or other services to a plan, management company, solicitor, or solicitor firm shall be open to inspection during normal business hours by the Commissioner (of Corporations)."

Health and Safety Code, Section 1374.8 (added in January, 1995):

"A health care service plan shall not release any information to an employer that would directly or indirectly indicate to the employer that an employee is receiving or has received services from a health care provider covered by the plan unless authorized to do so by the employee."

Information Practices Act, Civil Code, Section 1798:

State agencies which gather personal and confidential information about individuals must follow certain general rules to protect the security of the information. These include filing an annual report with the Office of Information Practices describing the type of information collected, its major uses, any disclosures made by the agency, and policies for retention and disposal of the information.

Insurance Information and Privacy Protection Act, Insurance Code, Section 791:

Insurance companies must provide a notice of information practices to all applicants

a) at the time of delivery of their certificate of coverage, or

b) at the time of collection of information from another source.

The disclosure must specify the nature of the information and purpose of its collection.

Section 791.02 says that this act does not govern "group practice prepayment health care service plans regulated pursuant to the Knox-Keene Health Care Service Plans Act," i.e., HMOs.

Civil Code Section 56.05

"Medical information" means any individually identifiable information in possession of or derived from a provider of health care regarding a patient's medical history, mental or physical condition, or treatment. But see Section 56.16:

Civil Code Section 56.16:

"Unless there is a specific written request by the patient to the contrary, nothing in this part shall be construed to prevent a provider, upon an inquiry concerning a specific patient, from releasing at its discretion any of the following information: the patient's name, address, age, and sex; a general description of the reason for treatment, the general nature of the injury... or other condition; the general condition of the patient; and any information that is not medical information as defined in Section 56.05."

Section 56.16 seems to be in conflict with the sections described above from the Business and Professional Code. Is psychotherapists' information exempt from this provision? What about information given to a psychiatrist who is not providing psychotherapy but prescribing medication? What about mental health information obtained by a general practitioner, family practitioner, internist, gynecologist, or emergency room physician ?

III. Federal bills addressing confidentiality:

Currently there are no federal laws concerning confidentiality of medical records.

Supreme Court decision in Jaffee v. Redmond:

On June 13, 1996, the Court ruled that there is a broad federal privilege protecting the confidentiality of communication between psychotherapists and their clients. The ruling applies to psychiatrists, psychologists and social workers. Writing for the 7-2 majority, Justice John Paul Stevens stated, "The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance."

The Health Insurance Reform Act (Kennedy-Kassebaum bill) signed into law on August 21, 1996, establishes a medical databank within the Department of Health and Human Services. Rules about confidentiality of the information are left to be created by Congress, or if Congress fails to act within three years, by the Secretary of HHS. Operation of the data bank is set to predate the deadline for confidentiality standards!

Three relevant bills are currently under consideration in Congress. Each one states that it would not preempt more stringent state protections of mental health information. These bills are: Medical Records Confidentiality Act, S. 1360, Robert Bennett; Fair Health Information Practices Act, H.R. 52, Gary Condit; and Medical Privacy in the Age of New Technologies Act, H.R. 3482, James McDermott.

IV. Current state legislative interest in medical records confidentiality:

Hearings of Senate Committee on Insurance on January 15, 1997

SB 1659 Joint Task Force on Personal Information and Privacy

SB 1109 Health Policy and Data Advisory Commission

Rosenthal bill: SB 1670 (1996; held in committee)

Alby bill: AB 224 (introduced in 1997)

Peace bill: SB 1062 (introduced in 1997; sponsored by CPA)

V. POSSIBLE LEGISLATIVE REMEDIES:

Laws that define the type of information that may be requested to determine "medical necessity."


BIBLIOGRAPHY

Ruth Clifford and Glory Denkers, Managed care "quality control": Intrusions on independent practice. San Mateo County Psychological Association Newsletter, Winter, 1995, 1 ff.

Alice Dembner, Psychiatrist warns of easy access to patients' records. Boston Globe, May 5, 1997, B2.

Glory Denkers and Ruth Clifford, A survey of psychologists' experiences with managed care: Consumer issues. Unpublished report, June, 1993.

Christine Gorman, Who's looking at your files? Time, May 6, 1996.

Linda Greenhouse, Justices recognize confidential privilege between therapist and patient. New York Times, June 14, 1996.

Gina Kolata, When patients' records are commodities for sale. New York Times, November 15, 1995, A1 ff.

Leslie Laurence, Who's reading your mind? Managed care makes it easier to see a therapist; it also makes it easier for others to see your mental health files. Glamour, May, 1997, 84 ff.

Tamar Lewin, Questions of privacy roil arena of psychotherapy. New York Times, May 22, 1996, A1 ff.

Brigid McMenamin, It can't happen here. How would you like to live in a state that keeps your personal medical records in a big central database? Forbes, May 20, 1996, 252-ff.

John Riley, When you can't keep a secret: Insurers' cost-cutters demand your medical details. Newsday, April 1, 1996, A7 ff.

Rothfeder, Jeffrey, Privacy for Sale: How Computerization Has Made Everyone's Private Life an Open Secret. New York: Simon & Schuster, 1992. (includes substantial information about medical records privacy)

Ellen Schultz, Open secrets: Medical data gathered by firms can prove less than confidential. Wall Street Journal, May 18, 1994, A1 ff.

Lee Smith, It's not creepy, it's a wonder drug! Can Prozac cut health costs? Fortune, May 12, 1997.

(Author unspecified) Who's reading your medical records? Consumer Reports, October, 1994, 628-632.


May 13, 1997

Write to the author: Ruth Clifford, Ph.D., President, CCEMHC

.


Webmaster's Comments.

I dared to highlight a couple of areas here and a one or two hyperlinks however I will not do more than that since I'm afraid that it might distract from the author's message which is a pretty good one also due to the fact that this is California Law such law is very close to Florida law and I want to show the Web visitor specifically what is going on here in my state and with my case.

 

 This is the part that shows you care a little extra. Please take the time and go to some of these areas and let them know how you feel, and what they can do to help. Thanks so much. Also, contact any other person you wish. It is a free country still. SPECIALLY in my place!!

E-Mail Address for Nursing Organizations

Email Address for US Senate………………

E-Mail Address for US House of Representatives

 

Is a BEAR of a job but if you like you can also reach the whole Nation trough the air ways via Radio and TV Links

 

We the people can make changes.!!

And if you E-Mail this Journalists will help us all. 

 

 

************* NOTE OF INTEREST *********************

I have been caring for the American Way of life for a while now.... you can see the other part of me on the other Web Site that I also maintain. That Web-Site deal's with the POW/MIA Issue Please visit it and get involved there are still men left behind and they need your help also. Visit " THE REAPER'S EDGE A POW's SCREAMED ECHO IN CYBERSPACE "


Back to starting page.

.Contacting Jose via E-ail..Mailto:onenurse@noangle.com

If you are doing word search document contains some of this words: Negligence, Psychiatric, abuse, of, power, collusion, Florida, department of health, Florida agency of healthcare administration, violation of civil rights, bad government bad psychiatry, warning to patients nurses, charter hospital, surviving psychiatry, deceptive, malpractice, weird, injustice, nursing, advocate, nursing code, ethics, legal rape, fraud, defrauding Medicaid, Medicare, Institutions, federal, outrage, criminal, disbelief, Human, health, services, personal, disregard, reporting, crime, trouble, revenge, sexual, consent, permission, renegade, rebuttal, journalism, independence, militia, revolution, inspection, perception, rejection, repugnant, personal, integrity, professional, pervert, prostitution, system, board of nursing, freedom, seclusion, restraint, medication, psychotropic, intimidation, feminism , repulsion, judicial, regulation, self-esteem , corporate, individual, actions, reactions, pervasive, reluctant, devil, worship, rape, drunkenness, cross-dressing, gay, lesbian, protection, persuasion, despair, rejection, opposition, ignorance, reprisal, depotism, dependence, independence, parent, child, bastard, protection, consumer, deception, outrage, insult, intelligence, intervention, guilt, obstruction, political, embarrassment, depotism, nazi, mad, upset, sadist, masochist, disruption, life, important, decision, autonomy, obligation, WESH, wesh-2, WCPX, wcpx-6, wkmg, wkmg-6, WFTV, wftv-9, ABC, CBS, NBC, network, television, programming, reporting, broadcasting, broadcast media, newspaper, article, story. Managed care, HMO, trust, Public, servant, malpractice, aclu,1st amendment, constitution, betrayal, liberty, assumption, alleged, antitrust, monopoly, indigent, help, accuracy, independent, love, caring, hate, disobedience, feminism, feminist, chauvinistic,

Back to starting page.